When discussing malware, we tend to focus on the technical aspect of how a specific Trojan operates on an infected system. The processes executed by a malware variant, ranging from how it latches onto an infected device to how it manipulates the user into providing it with credentials, are just a small subset of the cybercrime ecosystem. Roughly eight years ago, a single operator would be in charge of everything from coding the malware to distributing it, including setting up command-and-control (C&C) servers, identifying infection points, working with money mules and more. Today, the whole process, or at least each individual element, can be easily outsourced.

Underground cybercrime forums offer professionals and amateurs alike a wide array of tools and services with varying prices and support levels. Some tools, such as malware samples, can be downloaded for free, while other elements of the fraud chain, such as cashing out via a mule account, come at a high cost because the resources involved are scarce. Almost any form of online fraud requires more than just one tool. Whether the scheme is phishing, ransomware or financial crimeware, it needs hosting sites, C&C servers and/or a cash-out methodology. Some underground services are now also sold as cloud services, offering easy access and added security.

The underground market is showing no signs of slowing down, but rather of adapting to industry trends. Even the services and tools described in the infographic above can be broken down and sold separately. For example, HTML injections, specific scripts, configuration services and more can all be purchased individually when designing the malware of choice. It is also worth noting that cybercriminals are discussing and selling not only financial fraud tools, but also advanced targeting tools and remote access Trojans (RATs), health care and insurance fraud tools and services, and much more.

The current cybercrime ecosystem makes a wealth of options available to cybercriminals. Unfortunately, that drastically increases the scope and complexity of schemes that could target an organization. Thorough prevention and detection systems are needed to avoid these security problems, but they must be fortified with tools such as fraud protection for a comprehensive defense.

Read the white paper: The thriving malware industry – Cybercrime made easy
